Cyber Risk Brief: 28 May 2026

Disclaimer: This brief is governance commentary for leadership and risk teams, not incident notification, public attribution, legal advice, or quantitative risk analysis. Threat prioritization, framework mappings, attribution, and risk-zone groupings are informational only. Validate all technical claims against vendor advisories and internal telemetry before operational response.

Threat Intelligence Summary

One theme dominates today: the infrastructure organizations trust to build, manage, and secure software is itself the attack surface. T1 is a security tool turned delivery mechanism, a KEV-listed, actively-exploited FortiClient EMS flaw used to push a credential stealer to managed endpoints. T2, T3, and T5 are self-hosted developer platforms (Gogs, Gitea, Drupal). T4 reaches the telephony appliances most teams treat as a black box, and T6 sits in the TLS library beneath much of it.

Critical
9.8

CVE-2026-35616 · CVSS 9.8 · CISA KEV · actively exploited

FortiClient EMS improper-access-control flaw lets an unauthenticated attacker run code on the management server, then weaponize EMS's own push channel to deliver the EKZ credential stealer to the entire managed endpoint fleet.

Arctic Wolf · fake Fortinet update · KEV due 2026-04-09 (passed) · IMMEDIATE

Critical
0-day

No CVE · unpatched · Rapid7 · default-config RCE

Unpatched Gogs argument-injection flaw lets a self-registered user inject --exec into git rebase and run code as the Gogs server user, resulting in full repository and stored-credential compromise on default-configured, internet-facing instances.

DISABLE_REGISTRATION=false · 0.14.2 / 0.15.0+dev · no patch · IMMEDIATE

High
0+

CVE-2026-27771 · CVSS 8.2 · ~4-year exposure

Gitea container registries treated 'private' images as accessible without authentication, exposing private container images, and the source code and secrets baked into them, across ~30,000 deployments in 30+ countries.

Noscope · fixed 1.26.2 · Forgejo affected · healthcare / aerospace / ISPs · 7D

High
PoC

CVE-2026-43284 / -43500 · public exploit · CCCS AV26-524

The 'Dirty Frag' Linux-kernel privilege-escalation chain (xfrm/ESP + rxrpc) lets a local attacker escalate to root. A public PoC exists, and CCCS lists the full Mitel/Unify appliance line as affected because they ship the vulnerable kernel.

github.com/V4bel/dirtyfrag · CVSS 8.8 / 7.8 · MiVoice / OpenScape / MiCollab · 7D

Critical
22/25

CVE-2026-9726 · Drupal 'Highly critical' · unauth RCE

Drupal's AlternativeCommerce (Basket) module passes unsanitized user input to PHP unserialize(), letting an anonymous visitor inject PHP objects for arbitrary code execution on the web server.

SA-CONTRIB-2026-038 · fixed 2.1.17 · contrib module · no public exploit · 7D

High
TLS

CCCS AV26-522 · cert-chain forgery · public_key

Three certificate-validation flaws in Erlang/OTP's public_key library, most seriously, acceptance of a non-CA cert as an intermediate issuer, let an adversary-in-the-middle forge a trusted chain, defeating TLS authentication for any service built on OTP.

GHSA chain forgery · RabbitMQ / ejabberd / CouchDB · OTP 29.0.1 / 28.5.0.1 · 7D

Strategic context: developer & self-hosted infrastructure is production attack surface

Half of today's register lands on self-hosted developer infrastructure: Gogs (unpatched RCE), Gitea (a four-year unauthenticated exposure of private images), and a Drupal commerce module (unauthenticated RCE). These systems hold source code, secrets, and build pipelines, yet are frequently governed with less rigor than production. The governance signal is not any single CVE but the pattern: version-control servers, registries, and the appliances and TLS libraries underneath them deserve the same inventory, patch-SLA, segmentation, and monitoring discipline as the crown-jewel systems they ultimately protect.

Threat Register: 28/05/2026

Threat
T1
FortiClient EMS Improper Access Control, Active Exploitation (CVE-2026-35616)
Any organization running FortiClient EMS to centrally manage endpoint security is exposed: CVE-2026-35616 lets an unauthenticated attacker run code on the management server itself, then weaponize EMS's own push mechanism to deliver malware to the entire managed fleet. Active campaigns are using it to deploy a credential-stealing payload masquerading as a Fortinet update, harvesting browser-stored passwords and session cookies, a direct path to account takeover and lateral movement. NVD/Fortinet rate it 9.8 (base) and CISA flagged it as known-exploited with a remediation deadline that has already lapsed.
CVSS 9.8 · Critical · Immediate
T2
Gogs Argument-Injection RCE Zero-Day (no CVE assigned)
Any organization self-hosting Gogs as its Git service is exposed: on a default-configured, internet-facing instance, an attacker can simply register an account and execute code on the server, gaining read access to every private repository and dumping stored credentials, password hashes, API tokens, SSH keys, and 2FA secrets. Rapid7 reports the flaw is an argument-injection bug in the rebase-merge workflow affecting the latest 0.14.2 and 0.15.0+dev releases, and it remains unpatched, so protection depends entirely on configuration hardening. For organizations using Gogs in their build pipeline, a single compromised instance is a direct path to source-code tampering and supply-chain compromise.
Critical · Immediate
T3
Gitea Unauthenticated Private Container-Image Exposure (CVE-2026-27771)
Organizations running self-hosted Gitea (or Forgejo) as a container registry have been unknowingly exposing their private images to the open internet: a flaw means the "private" setting never actually enforced authentication, so anyone could pull private container images without credentials. Roughly 30,000 deployments across 30+ countries were exposed, including healthcare, aerospace, retail, and ISPs, and the gap sat undetected for about four years. Because container images routinely embed source code, configuration, and hard-coded secrets, the practical impact is intellectual-property and credential exposure at scale, even though no remote code execution is involved. Gitea fixed it in 1.26.2.
CVSS 8.2 · High · 7 days
T4
"Dirty Frag" Linux Kernel Privilege-Escalation Chain, Mitel/Unify Appliances (CVE-2026-43284, CVE-2026-43500)
Organizations running Mitel or Unify voice and contact-center infrastructure are exposed: any attacker who gains local access to an affected appliance, via a compromised account, service, or chained app flaw, can escalate to root and fully control the device. The root cause is in the Linux kernel (the "Dirty Frag" chain), not Mitel's own code, but CCCS AV26-524 lists the full Mitel/Unify appliance line as affected because they ship the vulnerable kernel, and a public exploit is already available. On telephony infrastructure, root control can mean interception of call signaling, disruption of voice services, and a privileged pivot into adjacent network segments.
CVSS 8.8 · High · 7 days
T5
Drupal AlternativeCommerce (Basket) Unauthenticated PHP Object-Injection RCE (CVE-2026-9726)
Organizations running the Drupal AlternativeCommerce (Basket) e-commerce module are exposed to an unauthenticated remote code-execution flaw: any anonymous visitor can submit crafted serialized data that the module passes to PHP's unserialize(), opening the door to arbitrary PHP execution on the web server. Drupal rates it "Highly critical" (22/25). The footprint is limited to sites using this specific contrib module rather than Drupal core, and no public exploit exists yet, but for an affected e-commerce site, successful exploitation means full server compromise and customer-data exposure.
Critical · 7 days
T6
Erlang/OTP public_key TLS Certificate-Validation Flaws (CCCS AV26-522)
Organizations running services built on Erlang/OTP (message brokers, messaging servers, and databases such as RabbitMQ, ejabberd, and CouchDB) should know that the platform's TLS certificate-validation library has three flaws, the most serious of which lets an attacker forge a certificate chain the system will trust. In practice this weakens the guarantee that a TLS connection is actually talking to the party it claims to be: an adversary positioned in the network path could impersonate a trusted server or client and intercept supposedly encrypted, authenticated traffic. There is no public exploit and no CVE assigned yet, but the fix is a straightforward OTP/public_key version bump.
High · 7 days

Threat Actor Profiling

No threat in today's register carries confirmed group attribution; entries describe the exploitation pattern rather than naming an actor. MITRE ATT&CK technique codes are listed per threat in the tradecraft column.

Threat · Actor · Sectors · MITRE tradecraft · Kill chain

T1 · Actor: Unattributed infostealer operator, EKZ campaign (per Arctic Wolf), financially motivated · Sectors: Endpoint Security / MSP, Enterprise IT · ATT&CK: T1190, T1059.001, T1036.005, T1555.003, T1041
  Kill chain: Initial access via unauthenticated exploitation of the FortiClient EMS management interface (CVE-2026-35616) → code execution on the EMS server → abuse of EMS's legitimate management/push channel to deliver a fake Fortinet update (FortiEndpoint_Patch.exe) and execute PowerShell on managed endpoints → credential, cookie, and autofill theft from Chromium/Gecko browsers → exfiltration over HTTP to attacker C2 (83.138.53[.]110).

T2 · Actor: Unattributed threat actor, no confirmed in-the-wild exploitation; flaw disclosed by Rapid7 · Sectors: Software Development / DevOps, Self-hosted Git · ATT&CK: T1190, T1078, T1552, T1565.001
  Kill chain: Self-registration on a default-configured, internet-facing Gogs instance (open registration) → create a repository and enable "Rebase before merging" → craft a pull-request branch name injecting the --exec flag into git rebase → code execution as the Gogs server user → read of all private repositories and dump of stored credentials (password hashes, API tokens, SSH keys, 2FA secrets) → potential source-code tampering and pivot.

T3 · Actor: Unattributed, no confirmed exploitation; flaw disclosed by Noscope · Sectors: Software Development / DevOps, Healthcare, Aerospace, ISPs · ATT&CK: T1190, T1213
  Kill chain: Discovery of an internet-facing Gitea/Forgejo container registry → unauthenticated pull of "private" container images (CVE-2026-27771; the private designation did not enforce access control) → extraction of source code, configuration, and hard-coded secrets embedded in image layers → potential downstream use of leaked credentials.

T4 · Actor: Unattributed local-access actor, public PoC published (V4bel/dirtyfrag) · Sectors: Telecommunications / Unified Comms, Contact Centers · ATT&CK: T1068, T1078
  Kill chain: Local access to an affected Mitel/Unify appliance (via a valid account, exposed service, or chained application flaw) → exploitation of the Dirty Frag Linux-kernel chain (xfrm/ESP write-what-where + rxrpc out-of-bounds write) to corrupt kernel page-cache memory → escalation to root on the appliance → potential interception of call signaling, disruption of voice services, and pivot into adjacent network segments.

T5 · Actor: Unattributed, no public exploit (Drupal lists status as theoretical / white-hat) · Sectors: E-commerce, Web / CMS · ATT&CK: T1190, T1059
  Kill chain: Anonymous request to a Drupal site running the AlternativeCommerce (Basket) module → submission of crafted serialized data that the module passes to PHP unserialize() (CVE-2026-9726) → PHP object injection and arbitrary code execution on the web server given a viable gadget chain → full server compromise and customer-data exposure.

T6 · Actor: Unattributed adversary-in-the-middle actor · Sectors: Messaging / Brokers, Databases, Infrastructure · ATT&CK: T1557, T1553
  Kill chain: Network position between an OTP-based service and its TLS peer → presentation of a forged certificate chain that exploits public_key validation flaws (non-CA cert accepted as intermediate issuer; hostname-verification weakness; OCSP-after-expiry) → defeat of TLS authentication and impersonation of a trusted server or client → interception of supposedly-encrypted, authenticated traffic.
Table methodology & sourcing notes
  • Attribution. None of today's threats are attributed to a named group in source reporting; actors are described by exploitation pattern. T1 references the EKZ infostealer campaign as observed by Arctic Wolf, but the operator is unattributed.
  • T2 (Gogs): T1565.001 is Stored Data Manipulation. Sub-technique number and title are a fixed pair; repository/source tampering maps to .001 (not .003, which is Runtime Data Manipulation).
  • T4 (Dirty Frag): Linux kernel root cause. CVE-2026-43284 (xfrm/ESP) and CVE-2026-43500 (rxrpc) are Linux kernel flaws; Mitel/Unify appliances are affected downstream because they embed the vulnerable kernel. Techniques map local privilege escalation, not a Mitel-application exploit.
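As an added illustration for the T1 kill chain above (example code written for this brief, not Arctic Wolf's or Fortinet's), a small hunt over constructed endpoint telemetry for the two indicators the brief quotes, the fake update file name and the defanged C2 address. The log format and host names are constructed assumptions; the matching is bounded so near-miss addresses and unrelated Fortinet binaries do not fire.

```python
"""Hunt endpoint telemetry for the two EKZ indicators quoted in this brief:
the fake Fortinet update FortiEndpoint_Patch.exe and the C2 83.138.53[.]110.
Example code written for this brief, not Arctic Wolf's or Fortinet's."""
import re
from typing import Iterable, List, Tuple

# Indicators exactly as the brief prints them; the C2 stays defanged here.
FAKE_UPDATE_NAME = "FortiEndpoint_Patch.exe"
C2_DEFANGED = "83.138.53[.]110"


def fang(text: str) -> str:
    """Turn defanged "[.]" notation back into a dot so it can be matched."""
    return text.replace("[.]", ".")


# Dropper name: case-insensitive (Windows paths), bounded so a longer token such
# as "xFortiEndpoint_Patch.exe" does not count, while "...\FortiEndpoint_Patch.exe"
# and a renamed ".exe.bak" copy still do.
_DROPPER_RE = re.compile(
    r"(?<![A-Za-z0-9_-])" + re.escape(FAKE_UPDATE_NAME) + r"(?![A-Za-z0-9_-])",
    re.IGNORECASE,
)
# C2 address: bounded so 83.138.53.11, 83.138.53.1100 and 183.138.53.110 miss.
_C2_RE = re.compile(r"(?<![\d.])" + re.escape(fang(C2_DEFANGED)) + r"(?!\.?\d)")


def scan_line(line: str) -> List[str]:
    """Return the indicator labels found in one line (empty list if clean).
    The line is fanged first, so defanged ticket or feed text is matched too."""
    text = fang(line)
    hits: List[str] = []
    if _DROPPER_RE.search(text):
        hits.append("fake_update_binary")
    if _C2_RE.search(text):
        hits.append("ekz_c2")
    return hits


def hunt(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Scan lines; return (1-based line number, hits) for every line with a hit."""
    findings: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample telemetry (not real data): a fake-update execution, a C2
# connection from PowerShell, a benign FortiClient process, a near-miss address,
# and a lower-cased copy of the dropper name written on the EMS server itself.
SAMPLE_LOG = [
    r"2026-05-27T10:02:11Z host=wks-0142 event=ProcessCreate image=C:\Users\jdoe\AppData\Local\Temp\FortiEndpoint_Patch.exe",
    r"2026-05-27T10:02:14Z host=wks-0142 event=NetConnect dest=83.138.53.110:80 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"2026-05-27T10:05:00Z host=wks-0077 event=ProcessCreate image=C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
    r"2026-05-27T10:06:30Z host=wks-0077 event=NetConnect dest=83.138.53.11:443",
    r"2026-05-27T10:07:00Z host=srv-ems01 event=FileWrite path=c:\temp\fortiendpoint_patch.exe",
]

if __name__ == "__main__":
    for number, hits in hunt(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```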

Control Deficiency & Framework Mapping

Threat · Control gaps · ISO 27001 · NIST CSF 2.0 · CIS Controls · ITSG-33 · OSFI B-13 (the Privacy Act / PIPEDA and ISO 42001 columns carry no mappings for today's threats; see the note below)

T1 · FortiClient EMS Improper Access Control, Active Exploitation (CVE-2026-35616)
  • Internet-exposed FortiClient EMS management interface, allowing unauthenticated reach to a critical security-management server.
  • Patch-SLA failure: a CISA KEV remediation deadline (2026-04-09) has already lapsed for unpatched instances.
  • Over-trust in the EMS management/push channel, which the attacker abuses to deliver malware to managed endpoints.
  • Insufficient endpoint threat-hunting for the post-exploitation infostealer (EKZ) and harvested credentials.
  • Weak credential governance for browser-stored secrets harvested and exfiltrated from compromised endpoints.
  Mappings: ISO 27001 A.8.8, A.8.9, A.8.20, A.8.16 · NIST CSF 2.0 ID.RA-01, PR.PS-02, DE.CM-09 · CIS 7, CIS 10, CIS 13 · ITSG-33 SI-2, RA-5, SC-7, CM-7 · OSFI B-13 Patch Mgmt, B-13 Vulnerability Management

T2 · Gogs Argument-Injection RCE Zero-Day (no CVE assigned)
  • Internet-facing Gogs left on default configuration with open self-registration (DISABLE_REGISTRATION=false).
  • No network segmentation or VPN/IP-allowlist in front of developer infrastructure handling source code and secrets.
  • No emergency change process to apply configuration-level mitigations where no vendor patch exists.
  • Weak secret governance for credentials stored in the Gogs database (API tokens, SSH keys, 2FA secrets).
  • Insufficient monitoring for anomalous merge/rebase activity and unexpected server-side process execution.
  Mappings: ISO 27001 A.8.8, A.8.9, A.8.16, A.8.22, A.8.25 · NIST CSF 2.0 ID.RA-01, PR.PS-01, DE.AE-03, RS.MI-01 · CIS 7, CIS 16, CIS 12 · ITSG-33 SI-2, RA-5, CM-7, SC-7 · OSFI B-13 Patch Mgmt, B-13 Governance

T3 · Gitea Unauthenticated Private Container-Image Exposure (CVE-2026-27771)
  • Access-control enforcement failure: the registry's "private" designation did not restrict unauthenticated pulls.
  • No detection of long-lived unauthenticated exposure; the gap persisted ~4 years undetected.
  • Secrets baked into container images, turning an access-control flaw into credential and IP exposure.
  • Incomplete inventory of internet-facing self-hosted registries (Gitea/Forgejo) and their access posture.
  • No periodic review/attestation that 'private' developer assets are actually access-restricted.
  Mappings: ISO 27001 A.8.8, A.5.15, A.8.3, A.8.4 · NIST CSF 2.0 ID.RA-01, PR.AA-05, PR.DS-01 · CIS 6, CIS 16 · ITSG-33 AC-3, AC-6, SI-2, RA-5 · OSFI B-13 Access Control, B-13 Third-Party Risk

T4 · "Dirty Frag" Linux Kernel Privilege-Escalation Chain, Mitel/Unify Appliances (CVE-2026-43284, CVE-2026-43500)
  • Incomplete inventory of Linux-based Mitel/Unify appliances within vulnerability-management scope.
  • Embedded-appliance patch coverage weaker than general-purpose servers, delaying kernel-fix firmware.
  • Weak access control and segmentation for appliance management interfaces, easing the local-access prerequisite.
  • Telephony/UC platforms not treated as high-value assets requiring strict segmentation and monitoring.
  • Limited security logging on appliances, hampering detection of root-level misuse once Dirty Frag is exploited.
  Mappings: ISO 27001 A.8.8, A.8.9, A.8.20, A.8.22 · NIST CSF 2.0 ID.AM-02, ID.RA-01, PR.PS-01, RS.MI-01 · CIS 7, CIS 12 · ITSG-33 SI-2, RA-5, CM-7, SC-7 · OSFI B-13 Patch Mgmt, B-13 Vulnerability Management

T5 · Drupal AlternativeCommerce (Basket) Unauthenticated PHP Object-Injection RCE (CVE-2026-9726)
  • Insecure deserialization: unsanitized user input passed to PHP unserialize() in a contrib module.
  • No inventory of which contrib modules (AlternativeCommerce/Basket) are deployed on public-facing Drupal sites.
  • Insufficient secure-development assurance for acquired/third-party module code handling untrusted input.
  • Slow patch path for contrib-module advisories relative to the unauthenticated-RCE exposure they carry.
  • Limited monitoring for anomalous serialized payloads against e-commerce endpoints.
  Mappings: ISO 27001 A.8.8, A.8.9, A.8.25, A.8.26 · NIST CSF 2.0 ID.RA-01, PR.PS-01, PR.PS-06 · CIS 16, CIS 7 · ITSG-33 SI-2, RA-5, SC-7 · OSFI B-13 Patch Mgmt, B-13 Vulnerability Management

T6 · Erlang/OTP public_key TLS Certificate-Validation Flaws (CCCS AV26-522)
  • Certificate-chain validation weakness accepting a non-CA certificate as an intermediate issuer (chain forgery).
  • Incomplete inventory of services built on Erlang/OTP (brokers, messaging, databases) and their TLS exposure.
  • Over-reliance on TLS authentication for mutual-TLS / client-cert services without validating the underlying stack.
  • No assurance process confirming certificate-validation integrity across the dependency chain.
  • Patch coverage gap for runtime/library components beneath named applications.
  Mappings: ISO 27001 A.8.8, A.8.24, A.8.20, A.5.14 · NIST CSF 2.0 ID.RA-01, PR.DS-02, PR.PS-01 · CIS 7, CIS 16 · ITSG-33 SI-2, SC-8, SC-17, RA-5 · OSFI B-13 Patch Mgmt, B-13 Vulnerability Management

Privacy Act / PIPEDA & OSFI: none of today's threats independently triggers a Canadian federal privacy or financial-regulator obligation; these are vulnerability disclosures, not confirmed breaches of Canadians' personal data. PIPEDA, and for federally regulated financial institutions OSFI B-13 incident expectations, may still apply where these systems process personal data of Canadians or support regulated services. Assess each against your own data map and regulatory footprint.

Risk Triage

Threats are assigned to primary zones based on their dominant organizational risk characteristic. A threat may appear in a secondary zone when it presents a materially distinct compounding risk dimension.

Exposure Velocity

Active exploitation or weaponized capability with immediate organizational exposure if unaddressed.

  • T1 · FortiClient EMS CVE-2026-35616, KEV, actively exploited, deadline passed

    CVSS 9.8 unauthenticated flaw in a security-management server, used to push the EKZ credential stealer to managed endpoints. The CISA KEV remediation deadline (April 9) has already lapsed; patch to 7.4.7 and threat-hunt endpoints now.

  • T2 · Gogs RCE zero-day, unpatched, exploitable on default config

    No patch exists. On default-configured, internet-facing instances an attacker self-registers and gains code execution as the server user. Disable open registration and restrict network exposure immediately.

  • T4 (secondary) · Dirty Frag, public PoC for Linux-kernel LPE on Mitel/Unify appliances

    A working public exploit (V4bel/dirtyfrag) exists. Local access yields root on the appliance; prioritize patching internet-adjacent or shared-management Mitel/Unify systems.

Incident Pressure

Confirmed campaign or large-scale exposure with direct impact on organizations or their data.

  • T3 · Gitea, ~30,000 registries exposed private images for ~4 years

    Unauthenticated pull of private container images (CVE-2026-27771) across ~30k deployments in 30+ countries. Treat as a data-exposure incident: upgrade to 1.26.2 and rotate any secrets baked into previously-exposed images.

  • T1 (secondary) · FortiClient EMS, active EKZ credential-stealer campaign

    Beyond the patch, this is a live campaign harvesting browser credentials and cookies from endpoints managed by compromised EMS. Assume harvested credentials are compromised and rotate.

Governance & Control Gaps

Structural control deficiencies revealed by the day's threats, independent of any single exploit.

  • T3 · "Private" that wasn't, access-control assurance gap

    A four-year unauthenticated exposure means no one verified that "private" developer assets were actually access-restricted. Periodic attestation that private = enforced belongs in third-party/DevOps risk reviews.

  • T6 · Trust in the TLS stack beneath named apps, Erlang/OTP

    Certificate-chain forgery in OTP's public_key undermines mutual-TLS guarantees for brokers/databases teams rarely inventory as "the Erlang stack." Runtime/library components need their own patch-SLA and assurance.

  • T5 · Insecure deserialization in a third-party module, Drupal

    An unauthenticated RCE via PHP unserialize() in a contrib module is a secure-development and module-inventory gap: which acquired modules handle untrusted input, and how fast can they be patched?

Strategic Posture

Cross-cutting pattern requiring board-level awareness and programme-level response.

  • T2 · T3 · T5 · Developer & self-hosted infrastructure is production attack surface

    Half the register lands on self-hosted developer platforms (Gogs, Gitea, Drupal commerce) that hold source code, secrets, and build pipelines. Treat version-control servers, registries, and their dependencies with the same inventory, patch-SLA, segmentation, and monitoring discipline as the crown-jewel systems they protect.

  • T4 (secondary) · Appliances are computers, telephony/UC estate needs lifecycle governance

    Dirty Frag reaches Mitel/Unify systems through the Linux kernel they embed. Voice and contact-center appliances need the same inventory, segmentation, and patch governance as servers, not black-box treatment.

Remediation Actions

Consolidated actions across all six threats, organized by time horizon. T-badges indicate which threat each action addresses.

0 – 24 hours

Immediate response

  • T1 · Upgrade FortiClient EMS to 7.4.7 (or apply the FG-IR-26-099 hotfixes for 7.4.5/7.4.6). Remove EMS management interfaces from direct internet exposure. The CISA KEV deadline has already passed.
  • T1 · Threat-hunt endpoints managed by any vulnerable EMS for the EKZ infostealer (fake FortiEndpoint_Patch.exe, C2 83.138.53[.]110); rotate any browser-stored credentials that may have been harvested.
  • T2 · On any internet-facing Gogs instance, set DISABLE_REGISTRATION=true, restrict access to VPN/IP-allowlist, and disable 'Rebase before merging' until a patch ships. No vendor fix exists yet.
  • T3 · Upgrade Gitea/Forgejo to 1.26.2. Identify previously-exposed private images and begin rotating any secrets/credentials baked into them; treat them as compromised.
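As an added illustration for the T2 action above (example code written for this brief, not Gogs's or Rapid7's), an audit of a Gogs app.ini for the open-registration precondition. It assumes the standard Gogs layout in which DISABLE_REGISTRATION sits in the [service] section and defaults to false, so a missing key or section is reported as open; the sample files are constructed.

```python
"""Audit a Gogs app.ini for the open self-registration condition the brief
identifies as the precondition for the unpatched Gogs RCE. Example code written
for this brief, not Gogs's or Rapid7's. Assumes the standard Gogs layout in which
DISABLE_REGISTRATION sits in the [service] section and defaults to false."""
import configparser
from typing import List

_ROOT = "__root__"  # synthetic section for keys Gogs places above any [section]


def parse_app_ini(ini_text: str) -> configparser.ConfigParser:
    """Parse Gogs-style INI. Gogs allows top-level keys (APP_NAME, RUN_MODE, ...)
    before the first section header, which configparser rejects, so a synthetic
    root section is prepended. Interpolation is off: '%' is literal in app.ini."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(f"[{_ROOT}]\n" + ini_text)
    return cp


def audit_registration(ini_text: str) -> List[str]:
    """Return findings; an empty list means self-registration is closed.
    A missing [service] section or key is reported as open (Gogs default)."""
    cp = parse_app_ini(ini_text)
    if not cp.has_section("service"):
        return ["no [service] section: DISABLE_REGISTRATION defaults to false (open self-registration)"]
    if not cp.has_option("service", "DISABLE_REGISTRATION"):
        return ["DISABLE_REGISTRATION not set: defaults to false (open self-registration)"]
    raw = cp.get("service", "DISABLE_REGISTRATION")
    try:
        disabled = cp.getboolean("service", "DISABLE_REGISTRATION")
    except ValueError:
        return [f"DISABLE_REGISTRATION = {raw!r} is not a boolean; verify by hand"]
    if not disabled:
        return ["DISABLE_REGISTRATION = false: anyone can self-register, the precondition for the Gogs rebase argument-injection RCE"]
    return []


# Constructed sample files (not from a real deployment): the weak setting, the
# corrected setting, and a file that never mentions the key at all.
WEAK_APP_INI = """\
APP_NAME = Gogs
RUN_MODE = prod

[service]
DISABLE_REGISTRATION = false
"""

HARDENED_APP_INI = """\
APP_NAME = Gogs
RUN_MODE = prod

[service]
DISABLE_REGISTRATION = true
"""

DEFAULT_APP_INI = """\
APP_NAME = Gogs

[server]
HTTP_PORT = 3000
"""

if __name__ == "__main__":
    for label, text in [("weak", WEAK_APP_INI), ("hardened", HARDENED_APP_INI),
                        ("default", DEFAULT_APP_INI)]:
        findings = audit_registration(text)
        print(f"{label}: {'OK' if not findings else findings[0]}")
```

The per-repository 'Rebase before merging' toggle is a repository setting rather than an app.ini key, so it needs a separate check.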

7 days

Short-term hardening

  • T4 · Inventory all Mitel/Unify appliances in CCCS AV26-524 scope and apply the May 28 vendor firmware that incorporates the Dirty Frag kernel fixes (CVE-2026-43284, CVE-2026-43500). A public PoC exists.
  • T5 · Confirm whether any public-facing Drupal site uses the AlternativeCommerce (Basket) module; if so, update to 2.1.17. Restrict anonymous access and review logs for anomalous serialized payloads in the interim.
  • T6 · Upgrade Erlang/OTP to 29.0.1 / 28.5.0.1 / 27.3.4.12 / 26.2.5.21 (or matching public_key), prioritizing services that rely on mutual-TLS or client-certificate authentication.
  • T2, T4 · Where patches cannot land in-window, apply compensating controls: network-segment and access-restrict Gogs servers and Mitel/Unify appliances, and monitor for anomalous local activity.

14 – 30 days

Programme remediation

  • T3 · Complete secret rotation for anything ever stored in exposed Gitea private images. Add a periodic attestation that 'private' developer assets are access-enforced to third-party/DevOps risk reviews.
  • T2, T3, T5 · Build/refresh an inventory of self-hosted developer infrastructure (version-control servers, registries, CMS/commerce modules), with owners, internet-exposure status, and a defined patch-SLA.
  • T4 · Establish a lifecycle-governance baseline for the telephony/UC and appliance estate: asset inventory, network segmentation, restricted management access, and a firmware patch cadence.
  • T6 · Map which production services depend on Erlang/OTP (RabbitMQ, ejabberd, CouchDB, etc.) and fold runtime/library components into vulnerability management and SBOM tracking.

Ongoing

Structural controls

  • T2, T3, T5 · Govern self-hosted developer infrastructure as production: it holds source code, secrets, and build pipelines. Apply the same inventory, patch-SLA, segmentation, monitoring, and access-review rigor as crown-jewel systems.
  • T1 · Maintain a KEV-driven patch SLA with the ability to absorb out-of-cycle emergency updates for security tooling, and treat compromise of a management/agent plane as a fleet-wide credential event.
  • T4 · Keep appliances (telephony/UC, network, IoT) in standing vulnerability-management scope: they are computers running general-purpose kernels and inherit upstream flaws.
  • T6 · Extend trust-integrity assurance to the cryptographic/TLS stack beneath applications; periodically validate certificate-validation behavior for services relying on mutual TLS.

Provenance

Cadence

Published each weekday. Primary intelligence drawn from BleepingComputer, SecurityWeek, The Hacker News, The Record, KrebsOnSecurity, and researcher disclosures, supplemented by vendor advisories, the Canadian Centre for Cyber Security, CVE and NVD records, and MITRE ATT&CK frameworks.

Contact Sovereign GRC for risk advisory or a threat profile tailored to your environment
